« Security Advisories » blog posts

Have you found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.

Manage your notification preferences to receive an email as soon as a Symfony security release is published.

Path Traversal in symfony/ux-toolkit Allows Arbitrary File Write and Read via Crafted Recipe Manifest
June 19, 2026 #Security Advisories
XSS in symfony/ux-icons via unsanitized SVG content in local files and Iconify on-demand responses
June 19, 2026 #Security Advisories
Denial of service in symfony/ux-live-component via unbounded batch action requests
May 29, 2026 #Security Advisories
XSS in symfony/ux-live-component via attacker-controlled child component tag
May 29, 2026 #Security Advisories
Information exposure via unescaped LIKE wildcards in EntitySearchUtil
May 29, 2026 #Security Advisories
CSRF Protection Bypass in symfony/ux-live-component: Accept Header is CORS-Safelisted
May 29, 2026 #Security Advisories
XSS in symfony/ux-autocomplete via unescaped AJAX response data
May 29, 2026 #Security Advisories
LiveComponentHydrator HMAC checksum lacks component and slot binding
May 29, 2026 #Security Advisories
Format-less date LiveProps parsed with the permissive DateTime constructor
May 29, 2026 #Security Advisories
Sandbox filter, tag and function allow-list bypass when sandbox state changes between renders for a cached `Template`
May 27, 2026 #Security Advisories